1141 matches found
futures_task::waker may cause a use-after-free if used on a type that isn't 'static
Affected versions of the crate did not properly implement a 'static lifetime bound on the waker function. This resulted in a use-after-free if Waker::wake is called after original data had been dropped. The flaw was corrected by adding 'static lifetime bound to the data waker takes...
Obstack generates unaligned references
Obstack generates unaligned references for types that require a large alignment...
Memory safety issues in `compact::Vec`
compact::Vec contains multiple memory safety issues. 1. It mishandles large capacity and causes out-of-bound access in 32-bit / allocator layout mismatch in 64-bit. 2. remove is not panic-safe and causes double-free when an index larger than the length is provided...
`index()` allows out-of-bound read and `remove()` has off-by-one error
Slab::index does not perform the boundary checking, which leads to out-of-bound read access. Slab::remove copies an element from an invalid address due to off-by-one error, resulting in memory leakage and uninitialized memory drop...
Misbehaving `HandleLike` implementation can lead to memory safety violation
Unsafe code in ObjectPool has time-of-check to time-of-use TOCTOU bug that can eventually lead to a memory safety violation. ObjectPool and HandlePool implicitly assumes that HandleLike trait methods are pure, i.e., they always return the same value. However, this assumption is unsound since...
`cell-project` used incorrect variance when projecting through `&Cell<T>`
Overview The issue lies in the implementation of the cellproject macro which used field as const instead of field as mut . The problem being that const T is covariant in T while mut T is invariant in T. Keep in mind that &Cell is invariant in T, so casting to const T relaxed the variance, and lea...
Chunk API does not respect align requirement
Chunk API does not respect the align requirement of types. Unaligned reference can be created with the API, which is an undefined behavior...
Matrix::new() drops uninitialized memory
Matrix::new internally calls Matrix::fillwith which uses ptr = value pattern to initialize the buffer. This pattern assumes that there is an initialized struct at the address and drops it, which results in dropping of uninitialized struct...
Multiple security issues including data race, buffer overflow, and uninitialized memory drop
arr crate contains multiple security issues. Specifically, 1. It incorrectly implements Sync/Send bounds, which allows to smuggle non-Sync/Send types across the thread boundary. 2. Index and IndexMut implementation does not check the array bound. 3. Array::newfromtemplate drops uninitialized memo...
StrcCtx deallocates a memory region that it doesn't own
StrcCtx deallocate a memory region that it doesn't own when StrcCtx is created without using StrcCtx::new. This can introduce memory safety issues such as double-free and use-after-free to client programs...
Missing sanitization in mozwire allows local file overwrite of files ending in .conf
The client software downloaded a list of servers from mozilla's servers and created local files named after the hostname field in the json document. No verification of the content of the string was made, and it could therefore have included '../' leading to path traversal. This allows an attacker...
mach is unmaintained
Last release was almost 4 years ago. Maintainers seem to be completely unreachable. Possible Alternatives These may or may not be suitable alternatives and have not been vetted in any way; - mach2 - direct fork...
Improper uniqueness verification of signature threshold
The tough library, prior to 0.7.1, does not properly verify the uniqueness of keys in the signatures provided to meet the threshold of cryptographic signatures. It allows someone with access to a valid signing key to create multiple valid signatures in order to circumvent TUF requiring a minimum...
mozjpeg DecompressScanlines::read_scanlines is Unsound
This issue and vector is similar to RUSTSEC-2020-0029 of rgb crate which mozjpeg depends on. Affected versions of mozjpeg crate allow creating instances of any type T from bytes, and do not correctly constrain T to the types for which it is safe to do so. Examples of safety violation possible for...
Ozone contains several memory safety issues
Ozone contains several memory safety issues including out-of-bound access and dropping of uninitialized memory...
Undefined Behavior in bounded channel
The affected version of this crate's the bounded channel incorrectly assumes that Vec::fromiter has allocated capacity that same as the number of iterator elements. Vec::fromiter does not actually guarantee that and may allocate extra memory. The destructor of the bounded channel reconstructs Vec...
linked-hash-map creates uninitialized NonNull pointer
Affected versions of this crate called mem::uninitialized to create a NonNull, which is undefined behavior. The flaw was corrected by avoiding the use of mem::uninitialized...
`pnet_packet` buffer overrun in `set_payload` setters
As indicated by this issue, a buffer overrun is possible in the setpayload setter of the various mutable "Packet" struct setters. The offending setpayload functions were defined within the struct impl blocks in earlier versions of the package, and later by the packet macro. Fixed in the packet...
HTTP Request smuggling through malformed Transfer Encoding headers
HTTP pipelining issues and request smuggling attacks are possible due to incorrect Transfer encoding header parsing. It is possible conduct HTTP request smuggling attacks CL:TE/TE:TE by sending invalid Transfer Encoding headers. By manipulating the HTTP response the attacker could poison a...
Allows viewing and modifying arbitrary structs as bytes
Affected versions of rgb crate allow viewing and modifying data of any type T wrapped in RGB as bytes, and do not correctly constrain RGB and other wrapper structures to the types for which it is safe to do so. Safety violation possible for a type wrapped in RGB and similar wrapper structures: If...
Improper Synchronization and Race Condition in vm-memory
rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attackers to cause a denial of service loss of IP networking because readobj and writeobj do not properly access memory. This affects aarch64 with musl or glibc and x8664 with musl...
traitobject assumes the layout of fat pointers
This crate gets the data pointer from fat pointers assuming that the first element in a fat pointer is the data pointer. This is currently true, but it may change in a future Rust version, leading to memory corruption. This has been fixed in the master branch of the crate, but is has not been...
Double free when calling `sys_info::disk_info` from multiple threads
Affected versions of sys-info use a static, global, list to store temporary disk information while running. The function that cleans up this list, DFCleanup, assumes a single threaded environment and will try to free the same memory twice in a multithreaded environment. This results in consistent...
Use after free in ArcIntern::drop
ArcIntern::drop has a race condition where it can release memory which is about to get another user. The new user will get a reference to freed memory. This was fixed by serializing access to an interned object while it is being deallocated. Versions prior to 0.3.12 used stronger locking which...
`LocalRequest::clone` creates multiple mutable references to the same object
The affected version of rocket contains a Clone trait implementation of LocalRequest that reuses the pointer to inner Request object. This causes data race in rare combinations of APIs if the original and the cloned objects are modified at the same time...
crate has been renamed to `block-cipher`
This crate has been renamed from block-cipher-trait to block-cipher. The new repository location is at:...
tokio-rustls reads may cause excessive memory usage
tokio-rustls does not call processnewpackets immediately after read, so the expected termination condition wantsread always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS...
rio allows a use-after-free buffer access when a future is leaked
When a rio::Completion is leaked, its drop code will not run. The drop code is responsible for waiting until the kernel completes the I/O operation into, or out of, the buffer borrowed by rio::Completion. Leaking the struct will allow one to access and/or drop the buffer, which can lead to a...
`array!` macro is unsound in presence of traits that implement methods it calls internally
Affected versions of this crate called some methods using auto-ref. The affected code looked like this. rust let mut arr = $crate::core::mem::MaybeUninit::uninit; let mut vec = $crate::ArrayVec::::newarr.asmutptr as mut T; In this case, the problem is that asmutptr is a method of &mut MaybeUninit...
bigint is unmaintained, use uint instead
The bigint crate is not maintained any more and contains several known bugs including a soundness bug; use uint instead...
stdweb is unmaintained
The author of the stdweb crate is unresponsive. Maintained alternatives: - wasm-bindgen - js-sys - web-sys...
futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer
Affected versions of the crate used a UnsafeCell in thread-local storage to return a noop waker reference, assuming that the reference would never be returned from another thread. This resulted in a segmentation fault crash if Waker::wakebyref was called on a waker returned from another thread du...
failure is officially deprecated/unmaintained
The failure crate is officially end-of-life: it has been marked as deprecated by the former maintainer, who has announced that there will be no updates or maintenance work on it going forward. The following are some suggested actively developed alternatives to switch to: - anyhow - eyre - fehler ...
`net2` crate has been deprecated; use `socket2` instead
The net2 crate has been deprecated and users are encouraged to considered socket2 instead...
Crash causing Denial of Service attack
Server or client applications that call the SSLcheckchain function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signaturealgorithmscert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm i...
fake-static allows converting any reference into a `'static` reference
fake-static allows converting a reference with any lifetime into a reference with 'static lifetime without the unsafe keyword. Internally, this crate does not use unsafe code, it instead exploits a soundness bug in rustc: https://github.com/rust-lang/rust/issues/25860...
Relies on undefined behavior of `char::from_u32_unchecked`
The Windows implementation of this crate relied on the behavior of std::char::fromu32unchecked when its safety clause is violated. Even though this worked with Rust versions up to 1.42 at least, that behavior could change with any new Rust version, possibly leading a security issue. The flaw was...
Library exclusively intended to obfuscate code.
This crate allows you to write safe functions with unsafe bodies without the unsafe keyword. The value this adds is questionable, and hides unsafe usages from naive analysis...
Various memory safety issues
Several memory safety issues have been uncovered in an audit of rusqlite. See https://github.com/rusqlite/rusqlite/releases/tag/0.23.0 for a complete list...
`stb_truetype` crate has been deprecated; use `ttf-parser` instead
This crate was maintained for use in rusttype which has switched to use ttf-parser...
`read_scalar` and `read_scalar_at` allow transmuting values without `unsafe` blocks
The readscalar and readscalarat functions are unsound because they allow transmuting values without unsafe blocks. The following example shows how to create a dangling reference: fn main deriveCopy, Clone, PartialEq, Debug struct S&'static str; impl flatbuffers::EndianScalar for S fn...
arr! macro erases lifetimes
Affected versions of this crate allowed unsoundly extending lifetimes using arr! macro. This may result in a variety of memory corruption scenarios, most likely use-after-free...
use-after or double free of allocated memory
Conversion of BitVec to BitBox did not account for allocation movement. The flaw was corrected by using the address after resizing, rather than the original base address...
Flaw in `realloc` allows reading unknown memory
When reallocing, if we allocate new space, we need to copy the old allocation's bytes into the new space. There are oldsize number of bytes in the old allocation, but we were accidentally copying newsize number of bytes, which could lead to copying bytes into the realloc'd space from past the chu...
CBox API allows to de-reference raw pointers without `unsafe` code
CBox and CSemiBox are part of the public API of the cbox crate and they allow to create smart pointers from raw pointers and de-reference them without the need of unsafe code...
Flaw in hyper allows request smuggling by sending a body in GET requests
Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted as a separate HTTP request. This allows an attacker who can control...
tiberius is unmaintained
The author of tiberius has archived the GitHub repository and left the following note: I do not have the time to overhaul the library and do not intend to further maintain the 0.3 version relying on the old futures ecosystem. Suggested alternatives are: - odbc - sqlx forthcoming...
Lifetime boundary for `raw_slice` and `raw_slice_mut` are incorrect
The affected version of rulinalg has incorrect lifetime boundary definitions for RowMut::rawslice and RowMut::rawslicemut. They do not conform with Rust's borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation resul...
rulinalg is unmaintained, use nalgebra instead
The rulinalg crate is no longer maintained, use nalgebra instead...
lzw is unmaintained
The author of the lzw crate is unresponsive. Maintained alternatives: - weezl...